MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

25.7.10

After several months without news of Koobface, at least of its typical propagation campaigns that use the classic fake YouTube page as cover, it is back with another season of propagation.

This time its spread still relies on visual social engineering, but instead of the usual YouTube video template it uses a page with pornographic content.

As shown in the screenshot, when you attempt to play any of the supposed videos, a small window warns that a codec needs to be downloaded. Accepting downloads Koobface disguised as a binary called codec.exe (MD5 5910e59d592781cec3234abf57f8d000) from IP address 91.188.59.10, to which the domain 1zabslwvn538n4i5tcjl.com resolves. This IP has been used to propagate Koobface since March 2010.

In addition, the page contains an embedded script that redirects traffic to download a PDF file containing an exploit for CVE-2008-2992.

A look at the same IP also makes clear that it is being administered through a known crimeware kit: YES Exploit System.

The binary executable codec.exe is packed with UPX (UPX 0.89.6 - 1.02/1.05-1.22 -> Markus&Laszlo). When it runs it generates a BAT file (which deletes itself afterwards) with instructions for contacting the C&C, connecting to 1zabslwvn538n4i5tcjl.com, from which it drops the following malicious code:

This is a rogue copy of Security Essentials 2010. It connects to getexepizdec.com (91.188.59.211), from which it downloads the file firewall.dll (MD5 a0160e8ede623b1df7d677b8d52fdc48), and to getmsdfgee54.com (88.80.4.19), from which it downloads exe.exe (MD5 5839ca78aab96724aa646789ebc24305 - Olmarik), which has a very low detection rate.
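The domains, IP addresses and MD5 hashes quoted above are the concrete indicators a defender can act on. The following Python script is an added example, not code from the original post or from MalwareIntelligence: it turns those indicators into a small offline triage helper that flags requests to the named hosts in a proxy log, looks up file hashes against the three MD5 values, and applies a heuristic check for the PDF stage. The proxy log lines are constructed for this example and their format (epoch, client IP, method, URL, status) is an assumption; the `util.printf` check is also an assumption, based on CVE-2008-2992 being the Adobe Reader `util.printf` overflow, and only flags the pattern rather than proving exploitation.

```python
import hashlib
import re

# Network indicators quoted in the post above.
IOC_DOMAINS = {
    "1zabslwvn538n4i5tcjl.com",  # codec.exe download / C&C
    "getexepizdec.com",          # firewall.dll
    "getmsdfgee54.com",          # exe.exe (Olmarik)
}
IOC_IPS = {"91.188.59.10", "91.188.59.211", "88.80.4.19"}

# MD5 hashes of the dropped binaries quoted in the post.
IOC_MD5 = {
    "5910e59d592781cec3234abf57f8d000": "codec.exe (Koobface downloader)",
    "a0160e8ede623b1df7d677b8d52fdc48": "firewall.dll (rogue component)",
    "5839ca78aab96724aa646789ebc24305": "exe.exe (Olmarik)",
}

# Constructed sample proxy log: "<epoch> <client> <method> <url> <status>".
# The format is an assumption for this example, not a real log from the post.
SAMPLE_PROXY_LOG = """\
1280000000.123 10.0.0.5 GET http://www.example.com/index.html 200
1280000001.456 10.0.0.7 GET http://1zabslwvn538n4i5tcjl.com/codec.exe 200
1280000002.789 10.0.0.9 GET http://91.188.59.10/update.pdf 200
1280000003.012 10.0.0.7 GET http://getmsdfgee54.com/exe.exe 200
1280000004.345 10.0.0.5 GET http://www.example.com/favicon.ico 404
"""

_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def scan_proxy_log(text):
    """Return (line_no, client, host) for each request to a known bad host."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        m = _URL_HOST.search(fields[3])
        if not m:
            continue
        host = m.group(1).lower()
        if host in IOC_DOMAINS or host in IOC_IPS:
            hits.append((n, fields[1], host))
    return hits


def lookup_md5(hexdigest):
    """Map an MD5 hex digest to the component named in the post, or None."""
    return IOC_MD5.get(hexdigest.lower())


def classify_file_bytes(data):
    """Hash file contents and look them up against the post's MD5 list."""
    return lookup_md5(hashlib.md5(data).hexdigest())


def pdf_has_util_printf(data):
    """Heuristic (assumption): CVE-2008-2992 is the Adobe Reader util.printf
    overflow, so a PDF that embeds JavaScript calling util.printf deserves a
    closer look. This only flags the pattern; it does not prove exploitation."""
    return b"/JavaScript" in data and b"util.printf" in data


if __name__ == "__main__":
    for line_no, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {client} contacted {host}")
    # Constructed bytes, so this prints None rather than a component name.
    print(classify_file_bytes(b"constructed, not the real codec.exe"))
    print(pdf_has_util_printf(b"%PDF-1.4 ... /JavaScript ... util.printf(...)"))
```

Running the script prints the three clients that reached the named hosts; in practice the host sets would be loaded from a feed rather than hard-coded, and a hash hit should trigger containment of the client rather than just a log line.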

In short, the circuit that Koobface runs from BKCNET "SIA" IZZI involves different parts of the criminal ecosystem, interrelated with one another and sharing the same goal: $$$$$ (feeding the underground economy), and leaving behind a real portfolio of malware.

Underneath, 91.188.59.10 is managed by a known crimeware kit that costs around $1000 on the underground market and whose job is to direct the download of further malware onto the victim's computer, coordinated by affiliates who increase their profits with each successful installation of the rogue.